Security researchers at Kaspersky have identified a new variant of Python-based adware, PBot, that is wreaking havoc on browser security. Similar to recent malware threat Zacinlo, PBot is super-powered adware that can add malicious extensions to victims’ browsers after infiltrating their systems. Although PBot was first detected a year ago, the current version is more obscure and not as easy to identify.
The prime victims
PBot is currently targeting users in Ukraine, Russia, and Kazakhastan. Researchers have identified 50,000 attempts to install PBot on computers running Kaspersky lab products; install attempts have continued to increase as well.
How PBot infects systems
As always, third-party or anonymous websites are the primary source of adware like PBot. When a user visits any of the targeted websites, a pop-up ad is displayed; when clicked, this ad takes the user to a download page for PBot that’s disguised as a legitimate software page.
If the user clicks anywhere on that website, a file named update.hta is downloaded on their system. Once opened, this file triggers the installation of PBot, with some assistance from an anonymous remote command-and-control server. During the installation process, PBot saves a few Python scripts and a browser extension on the victim’s computer, and then executes the Python scripts using Windows Task Scheduler.
What exactly is PBot’s full potential?
After infecting the victim’s browser, PBot uses the brplugin.py script to create a DLL file and then installs an ad extension in the infected browser. Once done, this extension starts displaying numerous ads in the browser, redirecting the user to the advertiser’s website. Below is a screenshot of one of PBot’s typical ads.
The developers of PBot are continuously releasing updates to make this adware more sophisticated and obscure.
How to evade PBot
Setting up proper browser security and firewall protection is the best way to avoid a PBot infection. As your organization’s IT administrator, you need to prevent users from visiting unwanted websites and limit their network traffic through best-practice firewall configurations. You should also monitor the software inside your network to identify any prohibited applications or EXE files hiding on user computers.
Along with the proactive work of administrators like yourself, users also have to take care of their system protection by not downloading any apps from anonymous or third-party websites. User education is always critical.
If you’re wondering how and where to start with this daunting IT security procedure we mentioned, Desktop Central could be your ideal partner in endpoint security and device management.